The Bank Account Takeover Epidemic

NEW YORK (MainStreet)Even Microsoft billionaire Paul Allen's account was not safe from account takeover.

In Pittsburgh last month an AWOL Army private - who had a few months of community college education - told the court how he used a public computer to sniff out Paul Allen's Social Security number, his bank account numbers, his date of birth and his mailing address.

"For $9.95 you can buy on the Internet a background report on just about anybody that will give you what you need to take over an account at many banks," said a security officer at a large financial institution. He said the report likely would have past addresses, history of property ownership, cars owned, parents' names and mother's maiden name, probably high school attended, are you getting the picture? Just about every challenge question - where did you live in 1st grade? - can be answered with a glance at the background report, and if that fails, there are Facebook and other social media outlets. To call this simple is to make it harder than it is.

Just when you want to withdraw all your money and stuff it into your mattress, know that banks and security outfits are hot in the chase for tools to prevent account takeovers, or at least to minimize the damage done.

And in a way the Paul Allen case proves that, too. Price, according to the trial testimony, attempted over $1 million in larceny. He apparently got away with under $1,000.

But know this: "This is a big problem and it is getting bigger," said Glen Sgambati, chief risk and security officer at Early Warning, a security company. "Banks have to get much more proactive about stopping it."

The search, said Sgambati, is currently focused on a hunt for "event triggers" - asking for a debit card to be sent to a Pennsylvania address not known to be associated with Paul Allen, for instance - but other event triggers include adding a co-signer, changing a cellphone number, changing a PIN. None of this is criminal per se- usually it is ordinary - but, said Sgambati, these are things account takeover thieves do and so an enhanced security outlook is called for.

Not all institutions follow those precautions.

Others, however, seek to authenticate every user and every transaction and, usually, they try to do it in ways that are unobtrusive to the typical user, said Gary McAlum, Chief Security Officer at USAA, a large bank headquartered in San Antonio. "We do a lot of monitoring. We do a lot of detection. Is this typical for this member?"

Sign on from an ISP in Lithuania, using a computer unknown to USAA, and seek to process a wire transfer to a new payee in Khabarovsk, Russia and, well, that is a scenario that probably will ring alarms in the security offices.

But, suggested McAlum, anomaly detection - good as it can be - is not the whole solution, because of one truth: "The consumer is the weakest link in the chain. Members unsuspectingly give their user ID and password away." And that is what often makes account takeover so challenging for bank security.

When the crook has all the proper ID - and knows all the right answers to security questions- who is to say he isn't you?

"That is where two factor authentication comes in--it would end a lot of this," said Mark Kay, CEO of StrikeForce Technologies, a New Jersey security company.

This is when - to proceed with a transaction - the user is prompted for something they know (a password for instance) and something they have (a onetime password generated via SMS to a cellphone for instance).

"Banks don't like it because it inconveniences customers, but it would end a lot of account takeovers," said Kay.

That is why part of the cure is on you. "We try to get the members involved," said USAA's McAlum.

How? At institutions that offer alerts - via email or SMS - for large transactions, sign up for them. Also sign up for balance alerts. If two-factor authentication is available, use it. The inconveniences involved are real but they are vastly less bothersome than being an account takeover victim, said the experts.

"Shared responsibility is how to stop this," said McAlum. "It takes banks working with engaged customers."